The Oatmeal is a constant source of amusement for me. I use his ‘TumBeast’ for the ‘404 – not found’ error pages on my company web site. He’s a big fan of Nikola Tesla, and enjoys using ridicule to make his point.
One of my favourite Oatmeal strips is about the agony of trying to fix computer problems: How to fix any computer. Having both experienced and attempted to fix many problems on Windows, Mac and Linux computers, I can confirm that he’s not exaggerating. Well, not much.
The latest version of Google’s web browser is 39.0.2171.65. The new version of Chrome fixes forty-two security issues and includes a few other fixes and improvements. If you use Chrome, you should allow it to update itself as soon as possible.
Two of the updates originally scheduled for release last week for Patch Tuesday were held back. Yesterday one of those updates was released. MS14-068 addresses security vulnerabilities in all versions of Windows. We recommend installing the update as soon as possible.
Brian Krebs has additional details, as does Ars Technica. A post on Microsoft’s Security Research and Defense Blog provides technical details of the vulnerability.
A new version of Google’s web browser was announced yesterday. Version 38.0.2125.122 fixes some bugs, and updates the embedded Flash to the latest version. Apparently there are no security fixes in this version, although the updated Flash does include security fixes.
Yesterday Microsoft released fourteen updates, addressing 33 CVEs in Windows, Internet Explorer, Office, .NET, Internet Information Services, Remote Desktop Protocol, Active Directory Federation Services, Input Method Editor, and Kernel Mode Driver. Four of the updates are flagged as Critical. You can find all the details in the main bulletin.
Two of the expected sixteen updates (MS14-068 and MS14-075) were held back by Microsoft, with release dates for those updates now being shown as ‘Release date to be determined’.
In keeping with its new monthly update policy, Adobe released a new version of Flash yesterday. Flash 15.0.0.223 addresses several security vulnerabilities in previous versions.
Brian Krebs has additional analysis of these updates.
Update 2014Nov15: One of the updates in this batch addresses a serious vulnerability that exists on all versions of Windows. MS14-066 fixes a bug in the way secure connections are handled by the Microsoft secure channel (schannel) security component. Most of the focus has been on Windows servers, especially those running Microsoft’s web server software, Internet Information Services (IIS). However, according to some sources, any Windows computer that is configured to accept secure network connections is potentially vulnerable. Recommendation: if you’re running any Internet-facing service on a Windows computer, install this patch ASAP. Ars Technica has additional details.
Update 2014Nov15: Another of this month’s patches (MS14-064) addresses problems with a previous patch (MS14-060). McAfee has a detailed breakdown of the problems with MS14-060.
Update 2014Nov19: MS14-068 was released.
Update 2014Nov26: Apparently the MS14-066 update caused problems for some Windows servers. Microsoft added a workaround to the update bulletin that should resolve one of the problems, but has yet to acknowledge the performance problems reported in SQL Server and IIS. InfoWorld has additional details.
If you’re using Internet Explorer 11 on Windows 7 or 8, and you are also running EMET 5.0, you should install the EMET 5.1 update before you install the November Microsoft updates.
Another new version of Firefox was released yesterday: 33.1.
According to the release notes, new features in version 33.1 include a ‘forget’ button, and the ability to use DuckDuckGo as the default search engine. These changes are in keeping with Mozilla’s push to improve privacy in the browser: the Forget button allows the user to remove cookies and history related to recent browsing, and DuckDuckGo’s search engine does not remember searches.
As usual, there was no formal announcement. There was an associated post on the main Mozilla blog, but that post makes no reference to the new version.
On a more positive note, the What’s New section of the release notes for this version have been pruned down to show only changes in this version, although the link to ‘all changes’ still shows about 3500 Bugzilla items, making it essentially useless.
This month’s ‘Ouch!’ newsletter (PDF) from SANS explains social engineering – the process by which nefarious persons obtain private information by non-technical means.
A must-read for anyone unclear on the concept of social engineering, this issue also provides tips for recognizing this behaviour.
Ars Technica’s monthly look at operating system and browser market share was delayed slightly this month as they investigated an unexpected blip in the numbers for Windows 8 and XP. It turns out that the new numbers really are more accurate, and they show that Windows 8 isn’t doing quite as badly as previously thought. In fact, Windows 8 is doing about as well as the ancient and no longer supported Windows XP.
Next Tuesday Microsoft plans to publish 16 Security Bulletins, five of which are flagged as Critical. The updates affect Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).
boot13